Formalizing Cyber Threat Intelligence Planning: Part VIII

Published in SecureSet Command Line, Mar 5, 2019 (7 min read)

Part 8 of 10: Tasks, Facts, Assumptions, and Constraints by Chris Ruel, Army Special Forces.

“Never tell people how to do things. Tell them what to do and they will surprise you with their ingenuity.” — General George S. Patton, U.S. Army

The last seven posts only took us up to Step 2 of the Mission Analysis process, Intelligence Preparation of the Environment (IPE). In this post, we will cover Steps 3 through 6. These steps are far more intuitive than the previous ones, so they do not require as detailed an explanation. Some of these processes can even be executed concurrently with IPE.

Step 3: Determine specified, implied, and essential tasks.

A task is a clearly defined and measurable activity. In the context of operations, it is a clearly defined and measurable activity that supports (or is supported by) other tasks to accomplish an objective. In Part 2 of 10: Analyzing Higher’s Plan, we discussed mission statements and intent. The mission statement always includes a task to be accomplished. Tasks come in three types: Specified, Implied, and Essential.

Specified Tasks: These tasks are spelled out for you directly. They are specifically assigned by your higher-ups. They can be written or verbal, but they should not be ambiguous. For example: “Jane, you will back up all of the cloud-based servers for our European Division weekly, to the server located on the premises.” Jane’s task is clearly defined and measurable.

Implied Tasks: These tasks support specified tasks and must be performed in order to accomplish the specified task. They are not spelled out by your higher-ups and require additional analysis. Often, regulations and company policy will disclose implied tasks. Take the above example with Jane: what might some implied tasks be? Since it deals with data from Europe, there might be a GDPR compliance issue. What if the data contains PII from American employees overseas? It is implied that all of this will be taken into consideration when executing the task.

Essential Tasks: After you have a grasp on the specified and implied tasks and ensure you and your team understand the purpose and requirements of each, you identify the essential tasks. These tasks can be specified or implied and must be completed to accomplish the mission. Essential tasks are always included in the Mission Statement. If you are a company that deals with health care data, ensuring that you are HIPAA compliant is an essential task.

Understanding what is being asked of you is paramount to developing and executing an effective plan. This helps nest the plan. When a plan or action is nested with the larger company strategy it promotes a unity of effort.

Step 4: Review Available Assets and Determine Shortfalls

You will never work in an environment of unlimited resources. Even if a million dollars is a rounding error in your budget, technology, talent, and time may not be readily available. Let's say a project would require 10 additional security engineers. How quickly could you find and hire that many talented people? What if, additionally, it required that they all be familiar with Amazon Web Services and hold Top Secret clearances? Good luck!

A good practice for any organization is to maintain running estimates. What goes into a running estimate will vary greatly depending on the nature of the business. There are, however, a few universal items that are applicable to almost every organization.

Task Organization: The “Task Org” is a document that shows the relationships between various entities both inside and outside the organization. It should include the nature of the relationship, the capabilities and limitations of the entity, and points of contact. In the event of a major security incident, the last thing you want to be doing is wasting time figuring out who to contact in your Joint Venture partner’s organization to reset the system… in Mumbai… on a Saturday… at three o’clock in the morning.

Budget: How much money are you authorized to spend? What does your runway look like? Are there any large purchases coming up? Knowing what is financially feasible can help eliminate courses of action before time is wasted on them.

Talent: On small teams, this may seem unnecessary, but your boss may not know everyone on the team. What if you move on and your replacement is from outside the organization? It’s also useful to know what credentials and certifications people have. What about other skills? It could come in handy to know who is skilled at C# or Python.

Over time, experience will guide the development of your running estimates. They are balanced with the specified, implied, and essential tasks to determine if there are any shortcomings or deficiencies that need to be addressed. Often the result is the request for additional resources. Assets are analyzed more thoroughly during Course of Action (COA) Development, an event that occurs after Mission Analysis.

Step 5: Determine Constraints and Limitations

A constraint is a restriction placed on an organization internally. This usually comes from higher up in the organization and dictates an action or inaction. It limits your freedom to maneuver by stating what you must or must not do. Often constraints are found in company policy letters or regulations. GDPR, PCI, and HIPAA all place constraints on data usage, transfer, and storage. Sometimes constraints are directed for specific projects. Examples include budgets (“You can only spend _______ dollars”), timelines (“Patches must be installed within ____ hours of notification”), or systems (“You can only use services from _________”).

Limitations are identified from the shortcomings discovered in the previous step. They are the effects on operations that result from the deficiencies. Let’s say you have only one trained SIEM operator on staff and he or she can only work from 9 AM to 5 PM, Monday to Friday. Until you hire or train more, you are limited to 40 hours of coverage per week. If you are told you can only hire one person for the job, then that is a constraint. Presenting constraints and limitations to decision makers will help them manage expectations and possibly prevent you from being put in an impossible situation.

Step 6: Identify critical facts and develop assumptions

When we plan, we plan with an imperfect understanding of the world. We are not omniscient, nor are we able to see the future. Some information we can safely take at face value, while some must be created as placeholders until the truth is known. Facts are statements of truth or statements that are believed to be true at the time. Assumptions are suppositions on present situations and presuppositions on future ones. They must always be identified as such and replaced with facts as soon as they are known. Some examples of facts:

  • The new regulations will go into effect on January 1st.
  • 75% of our servers show indicators of compromise.
  • Our budget for the upgrade will be $1,000,000.

As I mentioned in Part 3, the person that tells you never to assume because, “When you ASSUME you make an ASS of U and ME”, is either 1) omniscient, 2) supremely arrogant, or 3) an idiot. Assumptions are perfectly fine as long as they meet three criteria. They must be valid (containing premises from which the conclusion may logically be derived, correctly inferred, or deduced; ask whether they are likely to be true). They must be necessary (essential for planning purposes). And they must be considered true (treated like facts until proven untrue or until facts emerge). Continuing with the three facts presented above, what would be some assumptions that are related to those facts? Maybe:

  • There will be some form of grace period to convert legacy systems.
  • The other 25% of the servers have been compromised and we have yet to discover it.
  • Additional funds will become available at the end of the year, like the 5 years previous.

Assumptions are not without their dangers and should be used sparingly. The more assumptions you use, the higher the probability your analysis will be flawed and your plan, invalid. Using assumptions will also force planners to develop branch plans in the event the assumptions prove false. Even with those points considered, “an unstated assumption may prove more dangerous than a stated assumption proven wrong.”

The next step in the process of Mission Analysis, Step 7, is Composite Risk Management (CRM). Since there is so much already written in that field of study, I decided to skip that section and move to Step 8, Develop Intelligence Requirements. In the next installment, I will discuss how we identify and fill gaps in our knowledge.

If you’re just joining us for this series, you can catch up by reading Formalizing Cyber Threat Intelligence Planning: Part I, Part II, Part III, Part IV, Part V, Part VI and Part VII.

Christopher Ruel is an Army Special Forces Officer with years of operational experience overseas. He has also worked closely with the Intelligence Community in pursuit of US strategic objectives. He has earned a BA in history, as well as an MBA with a concentration in Business Analytics.
